Report TypesThe report feature offers different report types depending on the data you would like to view. Currently these report types are available:
Vulnerabilities ReportThe Vulnerabilities report provides information about vulnerabilities in your artifacts, builds, and release bundles. In addition to the information provided in the JFrog Platform on each of these entities, the report gives you a wider range of information such as vulnerabilities in multiple repositories, builds and release bundles. Criteria such as vulnerable component, CVE, cvss score, and severity are available in the report.You can define the information you want to see by defining a scope and advanced filters that provide you with a flexible vulnerabilities report, that is available both through the JFrog Platform and REST API.
Due Diligence Licenses ReportThe License Due Diligence report provides you with a list of components and artifacts and their relevant licenses. This enables you to review and verify that the components and artifacts comply with the license requirements. This report provides due diligence license related information on each component for a selected scope. Due diligence license information includes information such as unknown licenses and unrecognized licenses found in your components. You can define the information you want to see by defining a scope and advanced filters that provide you with a flexible due diligence report, that is available both through the JFrog Platform and REST API.
Operational Risk Report
Creating a Report
Step 1 Creating a New ReportNavigate to Application module | Security & Compliance | Reports and select Create New.
Step 2 Selecting a Scope
Select a scope to generate the list for that particular scope. You can only select one scope at a time.
Starting from Xray 3.27.2 and above with Artifactory version 7.21.3 and above, if you are using Projects, you can generate a Global Report on the Projects scope for all report types:
Select the repositories you would like to view information for in the report. You can narrow select specific repositories and include/exclude patterns to filter out specific repositories. In each field, you can specify a list of Ant-like patterns to filter in and filter out artifact queries. Filtering works by subtracting the excluded patterns (default is none) from the included patterns (default is all).
Consider that the Include Patterns and Exclude Patterns for a repository are as follows:
Include Patterns: org/apache/**,com/acme/** Exclude Patterns: com/acme/exp-project/**
In this case, the repository is searched for
com/acme/project-x/core/1.0/nit-1.0.jar but not for
because com/acme/exp-project/** is specified as an Exclude pattern
Builds ScopeSelect the build you would like to view information for in the report. You can select builds by name or by pattern.
Filter your builds selection by patterns, or select to view only the latest. You can also select the number of latest build versions. The default is 1 and you can set to any number to display the latest build versions.
Release Bundles ScopeSelect the release bundles you would like to view information for in the report. The selection of the release bundles scope is the same as the builds scope selection.
Step 3 Using Advanced FiltersUse advanced filters to narrow down the scope of the data you would like to see in the report.
- Vulnerabilities Report Advanced Filters
- Due Diligence Report Advanced Filters
- Violations Report Advanced Filters
- Operational Risk Report Advanced Filters
Vulnerabilities Advanced Filters
To filter out the vulnerabilities information you would like to see in the report, you can set advanced filters. Here are a few examples of how you can filter data:
Example 1: Filter by a specific CVE that was scanned on a particular date.
Example 2: Filter by CVSS2 Score, on a specific scan date, and contains a fix.
Example 3: Filter by a specific impacted artifact, published on a particular date and scan date.
Example 4: Filter by vulnerable component, and severity.
Due Diligence Licenses Advanced FiltersTo filter out the licenses information you would like to see in the report, you can set advanced filters. Here are a few examples of how you can filter data:
Example 1: Filter by licenses in specific components.
Example 2: Filter by licenses, in specific components and artifacts that were scanned within a time range.
Example 3: Filter for licenses by using a pattern.
Example 4: Filter licenses in componentsUnknown Licenses: View licenses in the report that are either known or unknown in Xray components. Unknown displays the components that Xray could not discover any licenses for.Found but Unrecognized: View licenses in the report that are either recognized or unrecgonzied. Unrecognized displays the components that Xray found licenses for, but these licenses are not Xray recognized licenses.
Violations Advanced Filters
To filter out the violations information you would like to see in the report, you can set advanced filters. Here are a few examples of how you can filter data:
Violations can contain multiple CVEs and multiple scores (based on the CVEs). The CVSS reports score filter matches are based on "at-least one score match" for each vulnerability. If CVSS score scope is set to 9, the report displays CVSS2 and CVSS 3 scores within the range 8-10. For each violation, Xray provides all the CVE numbers and all the scores
Example 1: License and Security ( View licenses and security violations in specific watches and policies, unknown licenses and security violations that are severity High)
Example 2: Security Violations (View security violations on a specific component, with a specific CVSS score range)
Example 3: Licenses Violations (View license violations in a specific watch, with high severity, and only unknown licenses)
Operational Risk Advanced FiltersTo filter out the Operational Risk information you would like to see in the report, you can set advanced filters.
Step 4 Generating a ReportAfter defining the scope and filters you can generate the report. The report will run in an asynchronous mode, and will be added to the report list page. New reports will be displayed at the top of the list.
Managing the Reports List and Performing Actions on ReportsAfter you generate a report, it will appear in the reports list. Each report in the list will have the following information:
|The reports given name|
|The author that created the report.|
|The time when the report started running.|
|The status of the report:|
|Progress of the report |
|The number of rows in a report.|